From be7c1a0e4877df23ee804798ca9d0c99d4a9a7be Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 22:03:19 -0400
Subject: [PATCH 1/4] CI: pin actions by SHA

This eliminates the possibility of a tag being changed under us.
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8e13e01..45c4ac1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,6 +23,6 @@ jobs:
 run: "python -m build"
 - name: "Publish to PyPI"
- uses: "pypa/gh-action-pypi-publish@release/v1"
+ uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
 with:
 password: "${{ secrets.PYPI_TOKEN }}"

From 4b923d710bfe9319ef1e5c6b3f3651c25896e938 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:06:40 -0400
Subject: [PATCH 2/4] CI: auto-fix via zizmor

May include:
- Avoids risky string interpolation.
- Prevents checkout premissions from leaking
---
 .github/workflows/check.yml | 2 ++
 .github/workflows/release.yml | 2 ++
 .github/workflows/test.yml | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 1336e17..918053a 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -14,6 +14,8 @@ jobs:
 steps:
 - uses: "actions/checkout@v3"
+ with:
+ persist-credentials: false
 - name: "Set up Python ${{ matrix.python-version }}"
 uses: "actions/setup-python@v4"

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 45c4ac1..0fbc4e0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,8 @@ jobs:
 runs-on: "ubuntu-latest"
 steps:
 - uses: "actions/checkout@v3"
+ with:
+ persist-credentials: false
 - name: "Set up Python"
 uses: "actions/setup-python@v4"

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 2244163..4ad5988 100644
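Review bot: Only the publish action is pinned to a commit SHA in the release.yml hunk, while `actions/checkout@v3` and `actions/setup-python@v4` in the same file (visible as context in the later hunks) stay on mutable tags, so the tag-moved-under-us risk the commit message describes still applies to the two steps that run before the publish. The new line also drops the double quotes every other `uses:` value in the file carries; `uses: "pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc"  # v1.12.4` keeps the file's quoting convention and the version comment. The enclosing `steps:` list and `jobs:` block begin above the hunk, and the paste has flattened the indentation, so nesting cannot be checked from here. The publish step still authenticates with a long-lived `PYPI_TOKEN` secret; the pinned release supports PyPI trusted publishing (OIDC), which would remove the stored secret at the cost of an `id-token: write` permission on the publish job.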
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -20,6 +20,8 @@ jobs:
 steps:
 - uses: "actions/checkout@v3"
+ with:
+ persist-credentials: false
 - name: "Set up Python ${{ matrix.python-version }}"
 uses: "actions/setup-python@v4"

From 7f167160a128bc451655bfdaaa4e633d2894ebfb Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Thu, 17 Jul 2025 23:20:04 -0400
Subject: [PATCH 3/4] CI: Restrict default permissions

Reduces risk of arbitrary code is run by attacker.
---
 .github/workflows/check.yml | 2 ++
 .github/workflows/release.yml | 2 ++
 .github/workflows/test.yml | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 918053a..fd900ed 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -1,4 +1,6 @@
 name: "Check with pre-commit"
+permissions:
+ contents: read
 on:
 push:
 branches: ["main"]
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0fbc4e0..9ab0fcc 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,4 +1,6 @@
 name: "Release"
+permissions:
+ contents: read
 on:
 release:
 types:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 4ad5988..fa239db 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,4 +1,6 @@
 name: "Test"
+permissions:
+ contents: read
 on:
 push:
 branches: ["main"]

From 8a0a4693561d46f29e0e8cf78514fa86064b3523 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Fri, 18 Jul 2025 11:31:33 -0400
Subject: [PATCH 4/4] CI: add dependabot config file for GHA

---
 .github/dependabot.yml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..fc9f855
--- /dev/null
+++ b/.github/dependabot.yml
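Review bot: The workflow-level `permissions:` block added to release.yml now also governs the publish job, which is fine while that job authenticates with the stored `PYPI_TOKEN`, but if it is later moved to trusted publishing the job will need `id-token: write` at the job level rather than a widening of this top-level block. The identical hunk in check.yml and test.yml needs no change. Indentation inside the hunks was lost in the paste, so whether `contents: read` sits nested under `permissions:` cannot be confirmed from here. Placing `permissions:` after `on:` instead of between `name:` and `on:` would follow the key order in GitHub's workflow-syntax reference, though that is purely stylistic.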
@@ -0,0 +1,7 @@
+
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/" # Location of your workflow files
+ schedule:
+ interval: "weekly" # Options: daily, weekly, monthly
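Review bot: The new dependabot.yml starts with an empty line (the first `+` line of the hunk) and keeps the two placeholder comments from the GitHub template, `# Location of your workflow files` and `# Options: daily, weekly, monthly`, which say nothing about this repository; dropping the blank line and the comments leaves a cleaner config. Dependabot updates SHA-pinned actions and their trailing version comment but keeps tag references as tags, so `actions/checkout@v3` and `actions/setup-python@v4`, still tag-pinned in the earlier patches, will only be bumped to newer tags until they are converted to SHAs like the publish action. Only the `github-actions` ecosystem is covered; if the project has Python dependency files, a second `updates` entry for `pip` would be needed, which is outside this commit's stated scope.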